I have been using the following endpoint to add an Administrator for a Team within a project.
$addTeamAdminUri = "https://dev.azure.com/{org}/{projuid}/_api/_identity/AddTeamAdmins?api-version=5.1-preview.1"
$teamAdminConfiguration = '{"teamId":"<teamguid>","newUsersJson":"[]","existingUsersJson":"[\"<userguid>\"]"}'
Until about a week or so ago, this would work with a Personal Access Token with Custom Scope where only some of the permissions were enabled.
However now, even if ALL the PAT permissions are enabled under Custom defined Access I still get a 401. The only way I can get this working is if I give the PAT Full Access. PAT is not expired. Anyone else experience this? I would prefer not to give Full Access.
Thanks in advance,
Jake.
What is the PAT scopes you set to run the REST API?
Please try the PAT with the scope "Project and Team: Read, write, & manage" to see if it can work.
In addition, I did not find the RESI API you are using from the Microsoft document. Where did you find this API? Please share the link of it. Thanks.
Related
I would like to run frontend end to end test from an azure devops pipeline, the website requires login using azure ad.
Unfortunately it is not easy to automate the login (sometimes involves sending code via email).
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize it when deployed to azure website.
What is the best way to have access to login protected website from azure pipeline?
Thanks
I think using an orgnization wide AD account is not secure, especially you're in a public cloud, that's why Azure provides a life-time limited project scope account. If you really want to use AD account, save its credentials in Azure Key Vault, then during the pipeline time, retrieve the credentials by the default project scope token, then you can do anything you want with the credentials.
I don't have a lot of experience regarding this, but I've done something similair using a Service Principal or Managed Identity.
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize
After a while I actually figured out that there was an identity provider configured, and there was kind of double authentication configured. After removing the jwt token started working perfectly.
In any case thanks a lot for your answers!
I used https://analytics.dev.azure.com/{orgname}/{ProjectName}/_odata/v2.0/WorkItemSnapshot REST API to fetch the active bug counts for past 60 days for the project in Azure devops. On using the custom scoped PAT to invoke the above API it threw unauthorized exception. Could you please tell me what permissions do I need to grant for PAT to access the workItemssnapshot API.
To use OData API to query work items in a project, you should have the following permissions at least:
On organization, your access level should be Basic.
In project, you should be a member of the project, and at least have Readers permissions. Make sure the permission View analytics is Allow for you.
For your personal access token (PAT), it should have the scopes Analytics(Read) and Work Items(Read).
I'm wondering what is the correct way to grant service accounts access to AzureDevOps. Ex: access to source code, API's, etc.
Since "Basic Authentication" was deactivated, I've been using personal access tokens but it seems awkward to login using a service account, generating the PAT, and so on. Also, since they are limited in time, we have to ensure renewal schedules/reminders for each connexions.
I am on the wrong track? Is there a more "natural" way to do it? Is SSH more adapted for this?
I've found this guide which helps but I can't find how (for example) granting a third-party application access to a project's repository.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PS: Service Connections and Service Hooks are not what I'm looking for.
What you are looking for probably is OAuth 2.0 Client Credentials Flow for Azure DevOps. Unfortunately Client Credentials Flow is not yet supported on Azure DevOps. See this thread Client Credentials Flow for Azure DevOps.
But, You can check out OAuth 2.0 auth code flow,which is now supported on Azure Devops. Please check out this detailed tutorial Authorize access to REST APIs with OAuth 2.0. This is an example to implement OAuth 2.0 auth code flow.
There are also Codes samples provided in above web link you mentioned in the question. You can checkout these samples to learn their authentication mechanism, and choose one that suits you most.
I cannot create a new organization named ''OnLineO'', as this name already exists.
I'm about sure it's me who created it a few time ago, but none of my logons run.
Must I send an email to Visual Studio Marketplace (VSMarketplace#microsoft.com) as stated in this post : Recovering access to an organization ?
Through the query, I found that your organization:"OnLineO" has been backed up to AAD:"OnLineO".
Please go to azure DevOps profile page,switch to OnLineO domain and try to login. Please do this in the new incognito window of browser. Note that your login account also needs to be backed up to AAD.
If you still cannot log in, please provide vsid as shown below. Pay attention to the processing of personal privacy information.
Sorry for the delay. If organization OnLineO is backed up to AAD "OnLineO", this is a great info, but I don't understand what it means... ?
On my DevOps profile page in an Invited session in Chrome (more isolated than incognito in other browsers), I am switched to OnLineO
DevOps profile page
It's when I try to create OnLineO as a New Organization that I get this message :
New Organization
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow: